Perhaps no aspect of the internet has grown so broadly in the past decade as social media.

From its infancy at sites like MySpace, Friendster, and “TheFacebook” (originally open only to students at select colleges), to the current industry leaders of Facebook (now open to all, and touting more than 1.7 billion monthly active users); Twitter (313 million monthly active users); and LinkedIn (450 million users), social media can be—and usually is—a major part of any company’s online presence.

Social media provides new avenues for interaction with customers; in fact, many younger users prefer communicating online to more traditional methods such as telephone calls, letters, e-mails, or even in-person customer service centers. But with such opportunities come new challenges.

For example, what happens when a financial institution’s Twitter account, which is used primarily for one-way communications (i.e., company announcements), receives replies or direct messages from users complaining about their individual accounts? It seems like good customer service to respond and assist those customers. But what obligations does that create when it comes to inquiries from regulators?

As institutions increase their online presence and become more active on social media, these considerations likewise take on an increasing importance. With a well thought-out social media plan that considers e-discovery ramifications—in both the litigation and regulatory fields—companies can manage to improve their customers’ experience while still properly managing the attendant risks. This article will discuss various regulatory and enforcement considerations impacting companies’ social media usage.

Maintain a tailored social media policy (and stick to it)

Every company is different—each has different practices, different needs, different cultures, different regulatory requirements, and different customers. For this reason, companies implementing comprehensive social media policies should tailor those policies to their own unique business and regulatory needs.

Responding to inbound social. One important way to address a company’s specific social media needs is to provide discrete guidance in the social media policy regarding how and when to respond to certain communications—and adhere to that guidance.

For example, a company with a small customer base may wish to respond to every communication made via social media from an actual customer (or someone who is assumed to be a customer). On the other hand, a company with hundreds of thousands of customers (and an active social media presence) may find such an effort impossible.

Regardless of a company’s approach, it is important to document such a decision, implement it with employees, train them appropriately, and stick to that plan. It is harder to justify not responding to one complaint received in a thread of thousands of Facebook comments when company policy states that it reviews and responds to every complaint received via social media.

Retaining social “documents.” Another related consideration is whether and how to implement document retention policies for social media communications.

Social media presents unique challenges in making these decisions, in part because data related to social media accounts is not stored on company servers. Instead, it is hosted by the site itself. Users are able to delete and edit their posts, but as anyone who has spent any time on the internet knows, something can never truly be deleted from the internet.

For example, internet sites like The Internet Archive attempt to maintain a record of sites and posts that are no longer “live,” and the now-defunct PostGhost captured deleted tweets of any Twitter account with more than 10,000 followers until Twitter responded with a cease-and-desist order for violations of its terms of service.

Thus, even policies that call for the retention of social media communications may be difficult to effectively implement, while policies requiring regular deletion of social media posts likewise may not be completely effective in removing all traces of old posts.

Collecting social posts. Forensic collection of social media data presents its own challenges, as this data cannot simply be collected in the same manner as email and other electronic documents.

Social media collection tools are still in their infancy, and the technology that does exist only works on certain sites and can quickly become obsolete whenever a social media site is updated. That said, many social media sites now offer export functionality, which allows some data to be exported into a user-generated file and may be sufficient in certain e-discovery contexts. Companies faced with inquiries that potentially touch on social media accounts under their control should consider discussing collection options with their counsel early on in order to understand what is possible in relation to their matter.

Following the rules—each of them. Similarly, social media policies should also reflect the regulatory framework governing each company—and should explicitly consider how a social media program will be viewed by regulators, such as the Consumer Financial Protection Bureau, the Comptroller’s Office, and others. Regulators such as the Federal Trade Commission, Securities and Exchange Commission, and the New York Department of Financial Services have provided some limited guidance as to expectations related to social media.1

FTC appears to be the most “active” regulator, having recently communicated with “influencers” and “brands” regarding the sufficiency of their online disclosures—including on social media platforms—related to product endorsements.2 It would not be surprising if more regulators followed suit with similar (or even more robust) guidance in the future.

In the meantime, it is worth noting that some regulators have begun to request information and documentation concerning social media when sending subpoenas and civil investigative demands. Further, regulators who inquire about complaints regarding certain issues under investigation may include complaints received through social media.

Customer complaints. One area of emerging regulatory focus for financial institutions in particular appears to be the issue of how to handle customer complaints that are received through social media.

Social media is a two-way street. Although this new media gives businesses an unprecedented ability to reach new and current customers, the general public and customers also are able to more easily voice their opinions—positive or negative—regarding businesses with online footprints.

Companies should consider how these complaints are to be handled, whether current policies, practices, and procedures are sufficient, or whether new ones need to be implemented surrounding the intake, processing, response, resolution, and broader tracking of complaints.

The Federal Financial Institutions Examination Council (FFIEC), a consortium of banking regulators, including CFPB, the Fed, FDIC, and OCC, issued joint guidance on the use of social media in December 2013, entitled Social Media: Consumer Compliance Risk Management Guidance. This report raises a number of risk areas relating to online complaints-handling, as well as other key issues, such as:

• Reputational risk arising from improperly managed social media activity (or even the risk posed by baseless or properly-handled complaints).

• The importance of robust compliance risk management programs and supporting policies and procedures relating to social media use by employees and vendors.

• Risks related to social media programs under various statutory and regulatory schemes (including TILA, RESPA, FDCPA, and UDAP/UDAAP).

This wide-ranging report is a strong indication that a growing regulatory framework surrounding financial institutions’ social media conduct may just be around the corner.

Privacy challenge. Another important area that regulators appear to focus on is privacy. The overarching aim of any effective social media policy is to square the circle of balancing privacy concerns with the inherently public nature of social media. And, in many ways, social media is completely antithetical to the notion of privacy in the first place.

This natural tension, however, does not relieve companies with active social media accounts from implementing measures to ensure users’ privacy, nor, of course, does it prevent regulators from questioning companies’ privacy practices relating to social media. In fact, the 2013 FFIEC guidance mentioned above touches on a number of other privacy-related issues, including compliance with the CAN-SPAM Act, TCPA, and COPPA through social media activity and duties surrounding the disclosure of institutions’ privacy policies.

Balancing the costs and benefits

For all of these reasons, it is paramount that companies wishing to set up an active social media presence consult appropriate resources, which may include regulatory and enforcement counsel. There are many benefits to a strong social media footprint, but there are also risks: some are immediately obvious, while others, such as those revolving around consumer complaints-handling and increasing regulator interest, appear to be emerging issues just on the horizon.

With the appropriate resources, proper guidance, and a well-thought-out plan, companies can enjoy more likes, better interaction with customers, and perhaps fewer #AngryHashtags.

Elizabeth E. McGinn is a partner in the Washington, D.C., and New York offices of Buckley Sandler LLP; John B. Williams and Timothy J. Coley are counsel in the Washington, D.C., office of the firm. They advise clients on consumer financial services, e-discovery, and privacy-related issues.